Support for Custom Certificate extensions


When I try to sign a certificate request with custom certificate extensions using the PKI engine from Vault, the custom extensions are missing in the signed certificate response.

Is there any option available to configure that ensures these custom certificate extensions from the CSR are copied into the signed certificate response?


No, I don’t think there is any option for copying custom extensions, other than the sign-verbatim endpoint. But at that point Vault is enforcing no restrictions whatsoever on what can be signed, so you then need your own trusted policy enforcer outside of Vault to manage what gets submitted to the sign-verbatim endpoint.
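One shape such a policy enforcer outside of Vault can take, added here as an example and not code from Vault or from this thread: a Go gate, standard library only, that parses the requested extensions out of a CSR and lists any that are not on an allowlist, so a CSR reaches sign-verbatim only when every extension it carries has been approved. The CSR, the private-arc extension OID and the allowlist are all constructed placeholders for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
)

// Constructed allowlist for a hypothetical enforcer in front of Vault's
// sign-verbatim endpoint; the private-arc OID is a made-up placeholder.
var allowedOIDs = map[string]bool{
	"2.5.29.17":             true, // subjectAltName
	"1.3.6.1.4.1.99999.1.2": true, // constructed custom extension
}

// buildCSR constructs a CSR requesting a SAN plus one custom extension,
// the kind of request the question describes (constructed test input).
func buildCSR(customOID asn1.ObjectIdentifier) (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "svc.example.internal"},
		DNSNames: []string{"svc.example.internal"},
		// extnValue is raw DER: here a UTF8String "abc".
		ExtraExtensions: []pkix.Extension{{Id: customOID, Value: []byte{0x0c, 0x03, 'a', 'b', 'c'}}},
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// disallowedExtensions lists requested extension OIDs missing from the allowlist;
// an empty result means the CSR may be forwarded to sign-verbatim unchanged.
func disallowedExtensions(csr *x509.CertificateRequest, allowed map[string]bool) []string {
	var rejected []string
	for _, ext := range csr.Extensions {
		if !allowed[ext.Id.String()] {
			rejected = append(rejected, ext.Id.String())
		}
	}
	return rejected
}
```

Call disallowedExtensions on every incoming CSR and forward to sign-verbatim only when it returns nothing; a non-empty result is the list to log and reject.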